Notes

#1 and #2 are redundant, but beware that reading bits from caps may indirectly reveal secrets.
#3 needs qualifications concerning noise.
#6: If code comes from some untrusted source, one may need to know what caps it holds before turning it into behavior.
Membranes require searching messages for caps.
#7 is an anti-feature, I think.
#8 is necessary if the code to define objects is itself subject to capability discipline.
#9 by indirection, I presume.
Without #14 (C++’s private attribute), membranes are impossible.
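The point about membranes having to search messages for caps, as an added example that is not part of these notes: a minimal revocable membrane in JavaScript. Every message crossing the boundary (arguments going in, results coming out) is searched for caps, here any object or function, and each cap found is wrapped so that one revocation cuts off everything that ever crossed. The function and object names are assumptions for the example; the hidden state (the WeakMap and the revoked flag) is what #14 provides.

```javascript
// Added example (not from the original notes): a revocable membrane that
// searches messages for caps and wraps them. Names are assumptions.
function makeMembrane(target) {
  let revoked = false;
  // Private state (#14): one wrapper per underlying cap, never exposed.
  const wrappers = new WeakMap();

  // A cap is anything that can carry authority: an object or a function.
  const isCap = (v) => v !== null && (typeof v === "object" || typeof v === "function");
  const check = () => { if (revoked) throw new Error("membrane revoked"); };

  // Search a message for caps. Plain data passes through; caps are wrapped.
  // Nested caps (e.g. inside an array or a returned object) are wrapped
  // lazily when they are read through the wrapper, so the search is complete.
  function wrap(v) {
    if (!isCap(v)) return v;
    if (wrappers.has(v)) return wrappers.get(v);
    const p = new Proxy(v, {
      get(t, key) { check(); return wrap(Reflect.get(t, key)); },
      set(t, key, value) { check(); return Reflect.set(t, key, wrap(value)); },
      // Arguments are a message going inward: search them for caps too.
      apply(t, thisArg, args) { check(); return wrap(Reflect.apply(t, thisArg, args.map(wrap))); },
    });
    wrappers.set(v, p);
    return p;
  }
  return { wrapped: wrap(target), revoke: () => { revoked = true; } };
}

// Constructed sample: an inner service whose messages carry caps both ways.
function demo() {
  const inner = {
    open: (name) => ({ read: () => "data:" + name }),  // returns a cap
    register: (callback) => callback,                    // receives a cap
  };
  const m = makeMembrane(inner);
  const file = m.wrapped.open("x");           // cap obtained through the membrane
  const before = file.read();                 // "data:x"
  const cb = () => 1;
  const cbCrossed = m.wrapped.register(cb) !== cb;  // inward cap was wrapped
  m.revoke();
  let afterRevoke = "still works";
  try { file.read(); } catch (e) { afterRevoke = e.message; }
  return { before, cbCrossed, afterRevoke };
}
```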

I do not try here to analyze using secrets as capabilities.
I do not claim that secrets cannot serve as capabilities.
The art of using secrets for caps merges onto crypto, which is hard.
Using secrets seems incompatible with some goals such as confinement.

These design freezes affect both system (kernel or runtime) design and application design.
Some code will not care about #11 through #16.